Vulnerability Management Defined

- Vulnerability Management consists of the end-to-end processes from discovering your network, to assessing your assets, analyzing the results and remediating your exposures.

[Diagram: the vulnerability management cycle, shown as a loop of Discovery, Assessment, Analysis and Remediation around QualysGuard]

QUALYS - ON DEMAND VULNERABILITY MANAGEMENT


Vulnerability Management Defined by Gartner

[Diagram: IT Security Management's role in Vulnerability Management, alongside Audit and Policy Compliance Tools]

- Proactively identify vulnerabilities in hopes of remediating them before they are exploited manually (hacker) or automatically (worm / virus)
- Accurately understand the risk to the enterprise
  - so mitigation can be prioritized
  - at any given point in time
  - trending over time
- Augment, complement, & enhance other security solution investments (e.g. IDS, AV, FWs, etc.)
Vulnerability Management Best Practices

1. Know Your Network
2. Automate
   - Assess Consistently
   - Assess Regularly
3. Integrate
4. Distribute Use
   - Individuals
   - Scan Engines
5. Report on risk and vulnerabilities
Step 1: Know Your Network

- Map your network, discover your hosts
  - Much of the network risk is introduced by unknown devices or devices that are not owned / company managed
    - Examples: pseudo-appliances, consultants' and contractors' laptops, non-standard or non-approved IP devices
- Deploy vulnerability scanners where necessary
  - Don't limit your ability to assess risk to your enterprise by not having vulnerability scan engines where they are required
  - Must put dedicated scanners on the Internet, in each DMZ, and on the internal network
Step 2: Automate - Assess Consistently

- VM can be used to secure your enterprise proactively if you scan consistently
- Inconsistent scanning leads to false positives and false negatives
- Automation → Consistency
  - Scan for the same vulnerabilities (plus new vulnerabilities)
  - Scan the same ports / services
  - Scan at the same speed / network impact
  - Scan using the same scanner from the same network vantage point
Step 2: Automate - Assess Regularly

- Vulnerability Management can be a proactive security solution if performed regularly
  - Must perform regular (e.g. weekly) assessments to react to accurate and current vulnerability data
  - Automate your network discovery and vulnerability scan tasks
- Embed Vulnerability Management in existing and new processes
  - Device build processes
  - Monthly maintenance processes
  - Change management processes
- 80% of Qualys customers run recurring scans at least monthly
- 60% of Qualys customers run recurring scans weekly
Step 3: Integrate

- Vulnerability data, when integrated with other security and operations tools and information, can be very powerful
  - Enhance your IDS investment; eliminate false positives by integrating VM data with IDS data
  - Integrate your VM solution with your change management / trouble ticketing solution or processes
  - Further automate patch application / patch management / configuration management
    - When missing patches or non-standard configurations are found on select devices, automate the remediation
  - Integrate to perform network quarantine
Step 4: Distribute Use - Individuals

- Enterprise Vulnerability Management tasks should be performed by more than just the security team
- Use 'least privileges' to assign select rights to:
  - Internal Audit
  - Systems and Network Administrators
  - Desktop Management teams
  - Technical and non-technical individuals
Step 4: Distribute Use - Scan Engines

- Vulnerabilities must be assessed from the independent 3rd party Internet perspective
  - 'Script kiddies' are scanning you; shouldn't you know what they can see?
- Vulnerabilities must be assessed from the DMZs
  - Need localized, authenticated scanning of these assets for full knowledge of vulnerabilities
- Vulnerabilities must be assessed from the internal network
  - Majority of devices and least number of security layers reside here
Vulnerability ≠ Risk

- Vulnerabilities are exposures on assets due to software weakness or device misconfiguration
- Risk considers the value of the asset and the mitigating factors in place against the vulnerability
- Example: same critical Windows patch missing on 2 hosts; exploitable over port 80
  - Host 1: Corporate Web Server
  - Host 2: Joe User's Laptop
  - The vulnerability on the 2 hosts is the same, but the risk to the organization is much higher on the corporate web server
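As an added illustration (not from the deck or the QualysGuard product), the following script turns the deck's "vulnerability ≠ risk" point into a remediation ranking: the same finding on the web server and on the laptop gets the same severity but a different risk once asset value and mitigating factors are applied. The scoring formula, the asset-value scale and the mitigation weights are assumptions chosen for the example.

```python
"""Rank the same vulnerability on two hosts by risk rather than severity.

Added example, not part of the Qualys deck. The formula, the asset values
and the mitigation weights below are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    host: str
    qid: str                      # vulnerability identifier, like the report's "QID"
    severity: int                 # 1..5, the report's severity scale
    asset_value: int              # 1..5, business value of the host (assumed scale)
    port_reachable: bool          # can the vulnerable port be reached from the threat source?
    mitigations: tuple = ()       # compensating controls in place on this host


# Assumed weights: each control present scales the exploitability factor down.
MITIGATION_WEIGHT = {"host_firewall": 0.5, "ips_signature": 0.6}


def risk_score(f: Finding) -> float:
    """Risk = severity x asset value x exploitability (0..1)."""
    exploitability = 1.0 if f.port_reachable else 0.2
    for control in f.mitigations:
        exploitability *= MITIGATION_WEIGHT.get(control, 1.0)
    return round(f.severity * f.asset_value * exploitability, 2)


def prioritize(findings: list) -> list:
    """Return (host, qid, risk) tuples, highest risk first."""
    ranked = [(f.host, f.qid, risk_score(f)) for f in findings]
    return sorted(ranked, key=lambda r: r[2], reverse=True)


# Constructed sample: the deck's case of one critical Windows patch missing
# on two hosts, exploitable over port 80. The QID value is a placeholder.
SAMPLE = [
    Finding("corp-web", "QID-PLACEHOLDER", 5, 5, True),
    Finding("joe-laptop", "QID-PLACEHOLDER", 5, 2, False, ("host_firewall",)),
]

if __name__ == "__main__":
    for host, qid, risk in prioritize(SAMPLE):
        print(f"{host:12s} {qid} risk={risk}")
```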
Enterprise Vulnerability Management Solution Requirements

- Single solution for external and internal VM
  - Low TCO
  - Consolidated reporting
- Scalable; easily deployable on distributed networks
- Network-based. Agents leave you exposed
  - With agents, it's impossible to assess risk on all devices (rogue devices, non-standard devices, network devices)
- Maintenance free, auto-updating
- Accurate & comprehensive
- Secure
  - Data encryption
  - No impact on security architecture
- Clientless web interface
- Vulnerability Management solution available on demand
- Software-free, management-free solution
  - Auto-updating
  - No software to install or maintain
- Industry's most comprehensive Vulnerability KnowledgeBase: ~3700 vulnerability signatures, updated daily
- Most accurate vulnerability scanner with less than .003% false positive rate
- Centralized repository automatically consolidates and aggregates all VM data for reporting
- Uniquely capable of vulnerability scanning from a 3rd party Internet perspective, critical for assessing Internet risk
- Internal and localized DMZ vulnerability scanning using secure and hardened Scanner Appliances
- RBAC model allows organizations to easily distribute VM tasks
- Non-intrusive / non-disruptive scanning with auto-throttling intelligence
- Built-in comprehensive remediation workflow
- 'Out of the Box' XML API for seamless integration with other enterprise solutions
Sample QualysGuard Executive Report

- Summary charts show risk over time
- Can choose what data is represented
  - Over what period of time
  - Select assets to report on
  - etc.


[Screenshot: Business Critical Executive Report, 03/24/2004. Customer Name: John Doe; Template Title: Business Critical Executive Report; IPs Scanned: 3; Date Range: 10/21/2003 - 03/24/2004; Trend Analysis: Last 5 months; Include Detailed Results: No; Sort by: Host; Filters: Vulnerability Checks: Possible threats, Information gathered, Disabled checks, Ignored checks; Groups/IPs: Critical Assets, Value Assets, Important Assets, Non-Important.

Summary of Vulnerabilities: Total 65 (+19).

Business Risk Trend per Group: Critical Assets 44/100; Value Assets 63/100 (+5); Important Assets 39/100 (+5); Non-Important 28/100 (0).

Further panels: a Business Risk trend chart over the date range (10/22 to 03/24), Vulnerabilities by Status (New, Active 61, Re-Opened, Fixed 48, Changed 52) and Top 5 Vulnerable Categories (Web Server, General remote services, CGI, TCP/IP, Windows).]




Sample Technical Vulnerability Report

64.41.134.60 (demo02.qualys.com, DEMO02) Windows 2000/XP

Vulnerabilities Total by Severity          5 Biggest Categories
Severity   Vulnerabilities                 Category                 Vulnerabilities
5          26                              Web server               42
4          17                              CGI                      30
3          37                              Information gathering    13
2          14                              TCP/IP                   10
1          25                              Windows                   9

Severity 5: MS-SQL 8.0 UDP Slammer Worm Buffer Overflow Vulnerability, port 1434/udp
QID: 19070   Category: Database   CVE ID: CAN-2002-0649
First Detected: 06/20/2004 at 15:22:42   Last Detected: 06/20/2004 at 15:22:42   Times Detected: 1

DESCRIPTION:
Your MS-SQL 8.0 server is NOT patched for the Slammer worm buffer overflow vulnerability.

This vulnerability allows for the execution of arbitrary code on the SQL Server computer due to a stack buffer overflow. Once the worm compromises a machine, it will try to propagate itself. The worm will craft packets of 376 bytes and send them to randomly chosen IP addresses on port 1434/udp. If the packet is sent to a vulnerable machine, this machine will become infected and will also begin to propagate. Beyond the scanning activity for new hosts, the current variant of this worm has no other payload.

Activity of this worm is readily identifiable on a network by the presence of 376-byte UDP packets. These packets appear to be originating from seemingly random IP addresses and destined for port 1434/udp.

CONSEQUENCES:
Compromise by the worm confirms that a system is vulnerable to allowing a remote attacker to execute arbitrary code as the local SYSTEM user. Subsequently, it's possible for the attacker to leverage a local privilege escalation exploit in order to gain Administrator access to the vulnerable system.

The high volume of 1434/udp traffic generated by hosts infected with the worm trying to find and compromise other SQL Server computers may itself lead to performance issues (including possible denial-of-service conditions) for Internet-connected hosts or for those computers on networks with compromised hosts.

SOLUTION:
Microsoft has released patches to address this vulnerability. Check Microsoft's Download site for updates.

RESULT:
No results available
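The report above says Slammer activity is identifiable by 376-byte UDP datagrams to port 1434 sent to seemingly random addresses. As an added example (not from the deck or the QualysGuard product), this script applies that network-side indicator to flow records: the record format ("proto src dst dport bytes"), the sample flows and the distinct-target threshold are constructed assumptions; the 376-byte UDP/1434 signature is the one the report describes.

```python
"""Flag Slammer-style propagation traffic in flow records.

Added example, not part of the Qualys deck. The flow format below is a
constructed one and the threshold is an assumption; the 376-byte UDP/1434
signature comes from the vulnerability description in the report.
"""
from collections import defaultdict

SLAMMER_PORT = 1434
SLAMMER_LEN = 376


def parse_flow(line: str):
    """Parse 'proto src dst dport bytes'; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    proto, src, dst, dport, size = parts
    try:
        return proto.lower(), src, dst, int(dport), int(size)
    except ValueError:
        return None


def suspect_sources(lines, min_targets: int = 3) -> dict:
    """Map source IP -> number of distinct hosts it sent 376-byte UDP/1434 packets to.

    Only sources reaching at least min_targets distinct destinations are kept:
    one such packet may be a probe, many distinct targets is the worm's scanning.
    """
    targets = defaultdict(set)
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue
        proto, src, dst, dport, size = rec
        if proto == "udp" and dport == SLAMMER_PORT and size == SLAMMER_LEN:
            targets[src].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}


# Constructed sample flows using RFC 5737 documentation addresses.
SAMPLE_FLOWS = [
    "udp 192.0.2.10 198.51.100.1 1434 376",
    "udp 192.0.2.10 198.51.100.2 1434 376",
    "udp 192.0.2.10 203.0.113.7 1434 376",
    "udp 192.0.2.10 203.0.113.8 1434 376",
    "udp 192.0.2.20 198.51.100.1 1434 376",   # single probe, below threshold
    "udp 192.0.2.30 198.51.100.1 1434 120",   # wrong size: ordinary SQL browser query
    "tcp 192.0.2.40 198.51.100.1 1433 376",   # TCP/1433 is not the worm's vector
    "garbage line",                            # malformed record, skipped
]

if __name__ == "__main__":
    for src, n in suspect_sources(SAMPLE_FLOWS).items():
        print(f"{src}: 376-byte UDP/1434 datagrams to {n} distinct hosts")
```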
Where do you go from here?

- Trial QualysGuard for FREE: http://www.qualys.com/worm

Thank you
elevin@qualys.com